I'm new in the Azure Relay use and configuration.
I've developed an API that responds with the Relay mechanism ... now my need is to leave the service bus listeners configured by default in Program (or even in startup) like this:
webBuilder.UseAzureRelay(options =>
{
options.UrlPrefixes.Add(Configuration.GetSection("AzureRelay")
.GetValue<string>("SB_HC_CONNECTIONSTRING"));
})
Now I need to add other local addresses so that the API can respond via requests from the on-prem environment in which it is released (like a front-end application).
I've searched in documentations, but unfortunately, there's no evidence of how to gain this behavior, and there is no example of how to use the Relay like a middleware.
Have you any ideas or examples to achieve this?
Azure Relay service facilitates your hybrid applications by enabling you to securely expose services within corporate enterprise network to the public cloud, without having to open a firewall connection or making any changes to corporate network.
Azure Relay addresses the technical challenge of communication between on-premise service and the external application which does not reside on the same premise or firewall. It allows on-premise service to expose a public endpoint. It provides High Availability for On-Premise Services. Azure Relay allows for registering multiple listeners to a single public relay endpoint. This provides a framework for both performance and availability without complex application logic or a costly networking appliance.
There are two Relay offerings from Azure Relay known as WCF Relay and Hybrid Connection.
Using WCF Relay you can initiate the connection between your on-premises service and the relay service using the WCF relay bindings.
Hybrid Connections provide an easy and convenient way to connect the Web Apps feature in Azure App Service and the Mobile Apps feature in Azure App Service to on-premises resources behind your firewall.
Check this Expose an on-premises WCF REST service to external client by using Azure WCF Relay tutorial from Microsoft for more information.
Alternatively we can develop middleware by simply using Azure Service Bus and Functions check this Developing Middleware With Microsoft Azure Service Bus And Functions document for more information.
I dont know of any middleware that does this, but this sample might help you. I managed to send a message from a console app to the relay and forward that request to another endpoint and relay the response back to the client.
This works exactly as NGROK.
To send the message do something like this:
var tokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider(
KeyName, Key);
var hbConnectionName = "testing";
var remotePath = "api/weather";
var uri = new Uri($"https://xxx.servicebus.windows.net/{hbConnectionName}/{remotePath}");
var token = (await tokenProvider.GetTokenAsync(uri.AbsoluteUri, TimeSpan.FromHours(1))).TokenString;
var client = new HttpClient();
var request = new HttpRequestMessage()
{
RequestUri = uri,
Method = HttpMethod.Get,
};
request.Headers.Add("ServiceBusAuthorization", token);
var response = await client.SendAsync(request);
Console.WriteLine(await response.Content.ReadAsStringAsync());
Related
We have created our automation framework using Appium-TestNG in which we are accessing our backend servers through RestFul Apis externally. The backend server is also based on AWS and has whitelisted the device farm IPs. When we are executing the tests locally its working fine but when we execute it on AWS Device Farm, it is giving ‘Socket Exception’ when trying to access the backend servers via our apis.
Can anyone give us a solution of how to access external Rest APIS via Device Farm?
The IP range that's in the FAQ of Device Farm point to the devices but not the device host. The device host could have a wide range of IPs but there are two ways(that I've found so far) to get around this issue in theory:
Use the private offering from Device Farm.
If you have access to the private offering for Device Farm, you're able to use the VPC integration with both the devices and the device host. So there shouldn't be any white-listing needed using this method.
Use API Gateway's private VPC integration and call this API from the tests
When using the public offering(metered and unmetered options) we should be able to take advantage of API Gateway's VPC integration. Using an private NLB in the same VPC as the REST API we can create a VPC link. The ending architecture I believe should look like this:
Then we can secure the API using an API key or custom authorizers. So then we can call this API which links to the private REST API from the device host.
Note: This might not be the best workaround depending on the use-case as then the device host will have access to the API key.
Additionally(I know you didn't ask this but wanted to link to it anyway), the easiest way I've found so far to develop REST API calls is to use Postman to make a successful call to the REST API. Then use the code snippet feature to make the same calls in the support languages from postman.
Hope that helps
-James
I just started building a relatively simple supply-chain app by using HyperLedger Composer webApp. In my permission file, I will have several participants that specify which role can do what. It's easy to switch role inside the playground through the wallet. However, I can't find a way to switch at my Angular webApp.
I thought it can be called through the System endpoint in the composer REST Server. But when I trying to "GET" from the /system/identities nothing show up, even I have created several participants. Can someone enlighten me with some examples?
Thank you guys so much!
Developing multi-user application using the Hyperledger Composer REST Server
Firstly, some quick background. What is Hyperledger Composer? It’s a framework for rapidly building Blockchain business networks on top of a Blockchain platform, such as Hyperledger Fabric. It’s pretty cool. You can find some more information here: http://hyperledger.github.io/composer/
Blockchain is a technology for building networks that connect organizations together. Once started, a Blockchain network allows participants to transfer assets between each other by submitting transactions, and those transactions are recorded in an immutable ledger.
So once you have your Blockchain Network how do you integrate with your client application? One solution would be to call the Hyperledger Composer JavaScript APIs directly or you could use the Hyperledger Composer REST Server in multi-user mode.
The Hyperledger Composer REST Server will generate a set of REST endpoints from a Hyperledger Composer Model. The endpoints can then be called from a client application to interact with a Blockchain. When the client applications calls one of the REST endpoints, the REST server will then submit a transaction to the Blockchain. This transaction must be signed by a certificate to say which identity is being used to submit the transaction. When the REST server is started it must be given a identity to use and by defaults all transactions will be signed with this identity.
The REST server can be configured to use authentication. This allows a client application to authenticate with the REST server and then the REST server can distinguish between each of the clients.
However this still doesn’t allow the Blockchain to distinguish between clients. The REST server will still sign each transaction with the same certificate. To enable the REST server to sign each transaction with a different identity per authenticated client the REST server must be configured to use multi-user mode. Each authenticated client will then have a private wallet on the REST server that contains the identity that will be used to sign the transaction on behalf of the different authenticated clients.
This article shows how to configure the REST server for multi-user mode and how it can be called from a client application to add participants and identities and how to submit transactions that are signed by different identities. The client app is written using Angular and will use GitHub authentication to authenticate itself with the REST server. This is just one example of the type of authentication that can be used. The REST server uses an open source library called Passport and there are over 300 plugins that are available to use, eg. LDAP, Facebook, SAML, and Google.
If you haven’t downloaded Hyperledger Composer you can follow the instructions to setup your development environment here: https://hyperledger.github.io/composer/installing/development-tools.
Once you have the development environment setup you firstly need to create and deploy a business network. The one I have used in this article can be found here: https://github.com/caroline-church/collectable-penguin-app/blob/master/collectable-penguin-network.bna. The client app used can be found here: https://github.com/caroline-church/collectable-penguin-app. The app allows users (Collectors of penguins) to sign up and to buy penguins from a “wholesaler” and each user has their own set of penguins which they have bought.
To setup the app you first need to add an OAuth application to GitHub here: https://github.com/settings/developers.
The app needs to have two REST servers running. The first has no authentication and will run in single user mode. This REST server will just be used to create participants and identities when users sign up to the app. It can be started by using the following command.
composer-rest-server -c admin#collectable-penguin-network -p 3001
The second REST server will run in multi-user mode. Firstly you need to set an environment variable to set some properties for the REST server. The and properties can be found in the github OAuth app that was created previously. The successRedirect property is set to the url of where app is running.
export COMPOSER_PROVIDERS='{
"github": {
"provider": "github",
"module": "passport-github",
"clientID": "<CLIENT-ID>",
"clientSecret": "<CLIENT-SECRET>",
"authPath": "/auth/github",
"callbackURL": "/auth/github/callback",
"successRedirect": "http://localhost:4200?loggedIn=true",
"failureRedirect": "/"
}
}'
Once the environment variable is set then the second REST server can be started with the following command
composer-rest-server -c admin#collectable-penguin-network -m true
The client app can then call the REST endpoints. To start the user needs to authenticate with GitHub. This can be done be having a link on the page, the URL is the URL of the multi-user REST server e.g
Sign in with github
Then the user needs to sign up to the app. This data can then be used to create a participant and identity. In this case a Collector participant will be created.
The following will create a Collector participant using the single user REST server
return this.httpClient.post('http://localhost:3001/api/org.collectable.penguin.Collector', collector).toPromise()
The body of the post should be the data the user supplied e.g.
const collector = {
$class: 'org.collectable.penguin.Collector',
collectorId: 'carolineId',
firstName: 'Caroline',
lastName: 'Church'
};
Once the participant has been created then an identity can be issued for that participant, again using the single user REST server. The response type must be set to blob as this endpoint returns a business network card.
return this.httpClient.post('http://localhost:3001/api/system/identities/issue', identity, {responseType: 'blob'}).toPromise();
The body of the post should include the ID and participant created previously e.g.
const identity = {
participant: 'org.collectable.penguin.Collector#carolineId,
userID: carolineId,
options: {}
};
The newly created identity can then be added to the wallet of the multi-user REST server. The card from the previous call to the endpoint is used to create a new file object, this file object is then used to create some formData. A header is added to the request to set the content type to be multipart/form-data. The wallet import endpoint can then be called with the data. The withCredentials option is set in-order to create a cookie to pass the authentication token to the REST server.
const file = new File([cardData], 'myCard.card', {type: 'application/octet-stream', lastModified: Date.now()});
const formData = new FormData();
formData.append('card', file);
const headers = new HttpHeaders();
headers.set('Content-Type', 'multipart/form-data');
return this.httpClient.post('http://localhost:3000/api/wallet/import', formData, {withCredentials: true, headers}).toPromise();
Now the client is authenticated with the REST server and an identity has been added to the wallet the endpoints can now be called. The REST server will submit transactions that are signed with the identity that was previously added.
For example the following HTTP request will get all the available penguins
return this.httpClient.get('http://localhost:3000/api/queries/availablePenguins', {withCredentials: true}).toPromise();
And the next HTTP request will get the penguins that the authenticated user owns
return this.httpClient.get('http://localhost:3000/api/queries/myPenguins', {withCredentials: true}).toPromise();
So now you know how to create a multi-user application using the Hyperledger Composer REST Server! But one last thing. If you have tried running the app you may have noticed alot of pictures of penguins. These are all penguins owned by the Hyperledger Composer team and are given to (or thrown at) people who break the build!
https://medium.com/#CazChurchUk/developing-multi-user-application-using-the-hyperledger-composer-rest-server-b3b88e857ccc
I am trying connect to Dynamics 365 On-premise with the OData client for .net
I tried to authenticate through basic authentication, however this is not working.
var c = new Microsoft.Dynamics.CRM.System(new Uri("https://mycrm01/crm/api/data/v8.2/"));
c.SendingRequest2 += (o, requestEventArgs) => {
var creds = username + ":" + password;
var encodedCreds = Convert.ToBase64String(Encoding.ASCII.GetBytes(creds));
requestEventArgs.RequestMessage.SetHeader("Authentication", "Basic" + encodedCreds);
};
var contacts = c.Contacts.Where(x => x.Firstname=="testuser");
foreach (var contact in contacts)
{
}
The error I recieve is: HTTP Error 401 - Unauthorized: Access is denied
Can someone help me how this is done?
In general I only use the OData client from JavaScript. When using .NET, I use the SDK libraries that provide authentication and access via the CrmServiceClient class.
To use the OData client from C#, this article outlines the various authentication methods: https://msdn.microsoft.com/en-us/library/mt595798.aspx
Web API authentication patterns
There are three different ways to manage authentication when using the
Web API. With JavaScript in web resources
When you use the Web API with JavaScript within HTML web resources,
form scripts, or ribbon commands you don’t need to include any code
for authentication. In each of these cases the user is already
authenticated by the application and authentication is managed by the
application. With on-premises deployments
When you use the Web API for on-premises deployments you must include
the user’s network credentials. The following example is a C# function
that will return an HttpClient configured for a given user’s network
credentials: C#
private HttpClient getNewHttpClient(string userName,string
password,string domainName, string webAPIBaseAddress) {
HttpClient client = new HttpClient(new HttpClientHandler() { Credentials = new NetworkCredential(userName, password, domainName)
});
client.BaseAddress = new Uri(webAPIBaseAddress);
client.Timeout = new TimeSpan(0, 2, 0);
return client;
}
With Microsoft Dynamics 365 (online) or internet facing deployments
When you use the Web API for Dynamics 365 (online) or an on-premises
Internet-facing deployment (IFD) you must use OAuth as described in
Connect to Microsoft Dynamics 365 web services using OAuth.
If you’re creating a single page application (SPA) using JavaScript
you can use the adal.js library as described in Use OAuth with
Cross-Origin Resource Sharing to connect a Single Page Application to
Microsoft Dynamics 365.
My customer wants to have Bluemix Local on their isolated DC from pulic.
They have a policy not to have internet access on the DC. Only allow to connect to internet in a limited period of time based on the IT/LOB request.
I know that the Bluemix Local need to have internet connection with IBM site for the purpose of the Remote maintenance by IBM.
Question:
Is it possible to minimize the on-line time between the Bluemix Local and IBM site ? The customer wants it offline normally and online only at the event of maintenance.
Thank you for your support.
Kohzo
The component that allow Bluemix local to be managed by IBM operation team is called "Relay".
Relay achieves secure connectivity through an open, outbound SSL, VPN tunnel that originates from the inception virtual machine on-premises by using certificates that are specific to each Bluemix Local instance.
The traffic on this tunnel is automated activity for serving and maintaining the platform, compute resources, and services for your instance. The traffic includes the monitoring capability that is used by IBM operations to complete problem determination for your local instance.
Only the IBM team that is working on local environment can securely access Bluemix instance. Access to ocal environment is secured by using two-factor authentication during multiple steps in the connection process. IBM provides a list of the approved users and IDs who can access the environment, and then customer can audit any access to the environment.
Since if a network interruption occurs Relay automatically re-establishes the connection, it does mean that the Relay must be always up .
I am mobile iOS developer and need a demo environment while making a Proof Of Concept app that will run against SAP Mobile Platform 3.0 (SMP) and Netweaver Endpoint using OData service. I need to be testing against SMP Server 3.0 SP05 or SP06 as I need to work with Offline mode as well.
I have setup SAP HANA Cloud Platform Mobile Services on CAL (https://cal.sap.com), configured my application and can successfully execute user registration and on-boarding against the SMP. I am using one of SAP-provided Netweaver demo endpoints, but then I am getting http errors when further making HTTP requests from SMP to the Netweaver endpoint.
The SMP uses HTTPS protocol.
The Netweaver demo endpoint is at https://sapes1.sapdevcenter.com/sap/opu/odata/IWFND/RMTSAMPLEFLIGHT/
It gives me errors like:
Unable to extract request URI: URI must contain a port: https://hcpms-p1941221453trial.hanatrial.ondemand.com/com.sap.flight/
or
Cannot open tunnel with id account:///p1941221453trial
or
HTTPS proxying is not supported. Use HTTP instead. HTTPS is not needed because communication is already secured by the tunnel.
Can somebody please sugest the correct configuration of the end point - Authentication Type, Rewrite Mode, Proxy Type - to get the SMP working with the demo endpoint?
If it is not possible to connect to this NW endpoint from HANA Cloud SMP, can you please sugest another way how to get a demo NW Endpoint with one of SAP sample OData applications? Many thanks.
This may help you for a subset of your issues:
Regarding the HTTPS error, have a look here:
https://help.hana.ondemand.com/help/frameset.htm?9d0e9e8397f544d9a5de5df52fd1e757.html
It mentions: The communication between the XS application and the proxy listening on localhost is always via HTTP. Whether the connection to the on-premise back-end should be HTTP or HTTPS is a matter of access control configuration in the Cloud connector. For more information, see Configuring Access Control (HTTP).
Basically, when something goes through the Cloud Connector, the HANA server uses a the proxy localhost:20003 in HTTP